Not every Botnet is Conficker

If it was the intention of the Conficker gang to create a huge splash, they succeeded. (In fact, it’s quite possible that they’ve attracted more attention than they really wanted.)

In any case, it seems that lots of people are looking nervously over their shoulders for any indication that something unpleasant and Conficker-related is about to happen. Several times in the past week I’ve been asked whether such and such an issue is That Worm turning….

Today it has been widely conjectured that reports of Distributed Denial of Service (DDoS) attacks on a number of Russian web sites are evidence of Conficker stepping up its activities. Most of the excitement seems to derive from a story run by Webplanet.ru, an online Russian daily, which talks about attacks on tonks.ru, roem.ru and others.

However, we’ve seen no evidence that any of these attacks are Conficker-related, and in fact at least one of them definitely isn’t: another botnet is known to be responsible for the attack on tonks.ru. Russia does seem to have a lot of Conficker-infected machines, but that doesn’t mean they’d be used for attacks in Russia. In fact, some recent malware (including the earliest version of Conficker) has avoided using machines in certain countries (W32/Conficker.A, for instance, declines to infect machines with a Ukrainian keyboard layout), probably to avoid law-enforcement-related complications.

It’s no secret that there are large numbers of infected machines elsewhere, too, even if there’s some controversy about exactly how many. So if the Conficker botmasters did decide to launch a DDoS attack against a specific site or sites, it could be very effective, provided they chose to and were able to mobilize enough machines. But it’s a mistake to assume, as some have, that the only likely use for a large botnet is to launch huge Denial of Service attacks. In fact, it probably makes more sense for a botmaster to use comparatively small groups of compromised machines at a time, which makes it harder for the good guys to trace which machines are in use at any one moment and to take some sort of remedial action.

Still, people like the idea of a dramatic, even apocalyptic event, and the idea has resurfaced that the Conficker botnet will be used for a massive attack on the internet itself. I think that’s unlikely. Bringing down huge tracts of the net would probably not offer much in the way of profit.

Does that mean there’s nothing to worry about? Of course not. We’re still seeing plenty of Conficker (including some slightly different samples which we’re still able to detect proactively). And we’re watching carefully. But as Randy has pointed out, there are plenty of other threats worth at least as much attention.

Thanks to Pierre-Marc, Jose Nazario, and Igor Muttik for their help in researching this issue.